MFA for ASA using Azure with SAML - what should I put in identifier and reply URL?

dzevel518380
Level 1

Hi all,

I'm struggling to find information on how to configure Cisco ASA with Azure MFA. To be more precise, there are only two pieces that I'm missing.

What should I put in the Identifier and Reply URL? I thought it was the existing/new tunnel-group from the ASA, but I guess it's a URL that I need to provide.

Can someone clarify it for me?

Let's say the new tunnel-group on the ASA will be called "anyconnect-tg" and the hostname of the firewall is "myasa5500.com".

Thanks in advance.

 

[Screenshot attached: Screen-Shot-2020-04-20-at-23.07.40.png]

19 Replies

Marvin Rhoads
Hall of Fame

The identifier (entity ID) is your ASA's FQDN. Something like:

https://vpn.mydomain.com/

The reply URL would be like this:

https://vpn.mydomain.com/saml/sp/metadata/<insert name of tunnel-group used with SAML>
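
Whatever values end up in the Azure application, they have to agree with what the ASA itself advertises in its SP metadata, which it serves at https://<fqdn>/saml/sp/metadata/<tunnel-group>. The following is an added example, not code from the thread or from Cisco: it parses such a metadata document and reports any mismatch with the Identifier and Reply URL entered in Azure. SAMPLE_METADATA is a constructed document for the FQDN and tunnel-group named in the question; its entityID and AssertionConsumerService values are assumptions, so fetch the real document from your ASA and pass that instead.

```python
"""Compare an ASA SAML SP metadata document with the Azure AD application's
'Identifier (Entity ID)' and 'Reply URL' settings.

Added example, not from the thread. SAMPLE_METADATA is constructed: the
entityID and AssertionConsumerService values are assumptions for the FQDN
and tunnel-group used in the question. Fetch the real document from
https://<fqdn>/saml/sp/metadata/<tunnel-group> and pass that instead.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample (assumed values) in the shape of SAML 2.0 SP metadata.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://myasa5500.com/saml/sp/metadata/anyconnect-tg">
  <SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myasa5500.com/+CSCOE+/saml/sp/acs?tgname=anyconnect-tg"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return (entityID, [ACS Location, ...]) from a SAML SP metadata document."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    # namespace-aware lookup, so it works whether the document uses a
    # default namespace or an md: prefix
    acs = [e.get("Location")
           for e in root.iterfind(".//md:AssertionConsumerService", NS)]
    return entity_id, acs


def check_azure_settings(xml_text, identifier, reply_url):
    """Return a list of problems; an empty list means the Azure values match.

    The entity ID is compared as an exact string: treat a stray trailing
    slash or port as a mismatch rather than normalising it away, since the
    IdP matches the Issuer it receives against the configured Identifier.
    """
    entity_id, acs_urls = parse_sp_metadata(xml_text)
    problems = []
    if identifier != entity_id:
        problems.append(f"Identifier mismatch: Azure has {identifier!r}, "
                        f"ASA advertises {entity_id!r}")
    if reply_url not in acs_urls:
        problems.append(f"Reply URL {reply_url!r} is not an ACS location on "
                        f"the ASA; advertised: {acs_urls}")
    return problems


if __name__ == "__main__":
    ok = check_azure_settings(
        SAMPLE_METADATA,
        "https://myasa5500.com/saml/sp/metadata/anyconnect-tg",
        "https://myasa5500.com/+CSCOE+/saml/sp/acs?tgname=anyconnect-tg")
    bad = check_azure_settings(
        SAMPLE_METADATA,
        "https://myasa5500.com/saml/sp/metadata/anyconnect-tg/",
        "https://myasa5500.com/+CSCOE+/saml/sp/acs?tgname=other-tg")
    print("matching settings:", ok or "no problems")
    print("mismatched settings:", *bad, sep="\n  ")
```

To run it against a real box, save the output of `curl -k https://<fqdn>/saml/sp/metadata/<tunnel-group>` and pass its contents as xml_text; the tunnel-group name in the path is case-sensitive, so copy it exactly from the ASA configuration.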

Thanks a lot. I'll try it.

I have 2 pairs of ASAs in 2 geographic locations. How can this work with SSO users then?

Once I finish this procedure, it means that 1 cluster will use MFA for SSO users, which is what I want,

but is it possible to add another cluster (different FQDN)? My assumption is that it will be considered a separate deployment, but can the MFA be used for both?
I'm confused about how this will work in my scenario.

Thanks

2 separate locations with different ASAs will have different FQDNs, so it's no problem.

That means I will need to set up another SSO under the AnyConnect application in Azure MFA?

Yes - a different site's ASA also using SAML will be a second instance (or "service provider" as it's known in SAML terminology) from the perspective of your Azure dashboard.

OK, the test passes (from the Azure AnyConnect configuration page),

but when I actually try to connect, it lets me complete the MFA (approving in my mobile app) and then I get:

Login denied, unauthorized connection mechanism, contact your administrator.

:(

Ideas?

This error can be caused by a variety of different misconfigurations, such as SSL certificate settings, VPN tunnel settings or an issue with the connection profile itself.

Can you share your ASA side remote access (SSL) VPN configuration? Such as the output of:

show run all group-policy DfltGrpPolicy
show run all tunnel-group DfltWEBVPNGrp

(or whatever group-policy and tunnel-group (connection profile) you are using if other than the defaults)

 

See the output below.

One more note: when I add ssl-client to the group-policy and try AnyConnect, I get the message "Unable to update the session management database."

When I have the configuration below and try AnyConnect, I get the error message I mentioned above: "Login denied, unauthorized connection mechanism, contact your administrator."

 

# sh run all group-policy NOACCESS
group-policy NOACCESS internal
group-policy NOACCESS attributes
 dns-server value 1.1.1.1
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-clientless


# sh run all tunnel-group anyconnect
tunnel-group anyconnect type remote-access
tunnel-group anyconnect general-attributes
 address-pool VPN_POOL
 no ipv6-address-pool
 authentication-server-group LOCAL
 secondary-authentication-server-group none
 no accounting-server-group
 default-group-policy NOACCESS
 no dhcp-server
 no strip-realm
 no nat-assigned-to-public-ip
 no scep-enrollment enable
 no password-management
 no strip-group
 no authorization-required
 username-from-certificate CN OU
 secondary-username-from-certificate CN OU
 authentication-attr-from-server primary
 authenticated-session-username primary
tunnel-group anyconnect webvpn-attributes
 customization DfltCustomization
 authentication saml
 no override-svc-download
 no radius-reject-message
 no proxy-auth sdi
 no pre-fill-username client
 no pre-fill-username clientless
 no secondary-pre-fill-username client
 no secondary-pre-fill-username clientless
 group-alias VPN enable
 dns-group DefaultDNS
 no without-csd
 saml identity-provider https://sts.windows.net/************************/
tunnel-group anyconnect ipsec-attributes
 no ikev1 pre-shared-key
 peer-id-validate req
 no chain
 no ikev1 trust-point
 no ikev1 radius-sdi-xauth
 isakmp keepalive threshold 300 retry 2
 ikev1 user-authentication xauth
 no ikev2 remote-authentication
 no ikev2 local-authentication
tunnel-group anyconnect ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 no authentication ms-chap-v2
 no authentication eap-proxy

Thanks

I understand what the issue is now, but don't really know what the solution is.

Before SAML, I used LDAP, where I had two different group-policies that I mapped:

ANYCONNECT-POLICY
IT_ANYCONNECT_POLICY

When SAML is configured, it always falls to the default-group-policy, so I took one of the groups above and assigned it as the default-group-policy (in general attributes) -- IT WORKS!!!

But that's not best practice of course, since I want to have the two different groups above,

while the default-group-policy "blocks" unauthorised users.

- Is this possible? If so, how?

- SAML+LDAP, so I can have two group-policies while SAML is used for MFA only?

I'm confused about what can be done now.

There's most likely something wrong with the group policy you are using (other than the noaccess one).

Can you share the configuration of that (and the default one in case you aren't hitting the desired one)?

When I put one of the group policies as the default, it connected with SAML. But I have two groups that I want to use, while the default group will be for no access.

The thing that I realised is that nothing points to any group, so it falls to the default.

Should I use LDAP to indicate which group, as normal, under the general attributes? (I thought LDAP was removed completely.)

Under each "tunnel-group <group name> general-attributes" configuration stanza you should indicate your preferred group-policy.

Something like this:

tunnel-group TG-VPN_SSO general-attributes
 default-group-policy GP_VPN_SSO

If you don't specify a group-policy there, clients connecting to that tunnel-group (aka connection profile in ASDM and seen as the alias in the dropdown list in the AnyConnect client or as redirected by policy if you are using LDAP authorization results) will use the default group policy.
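
The two errors reported earlier in the thread both come out of the policy a SAML tunnel-group ends up using when nothing else selects one. The following is an added example, not code from the thread or from Cisco: a small lint over "show run all" output that finds every tunnel-group with "authentication saml", resolves its effective default-group-policy (falling back to DfltGrpPolicy when none is set), and flags a policy that lacks ssl-client in vpn-tunnel-protocol or has vpn-simultaneous-logins 0. SAMPLE_CONFIG is a constructed, trimmed copy of the posted output plus an assumed working policy GP_VPN_SSO; the policy name and its values are assumptions.

```python
"""Lint ASA remote-access config for SAML tunnel-groups whose effective
default group policy cannot admit an AnyConnect (SSL) client.

Added example, not from the thread. SAMPLE_CONFIG is a constructed, trimmed
copy of the posted 'show run all' output plus an assumed policy GP_VPN_SSO.
Feed it the real 'show run all group-policy' and 'show run all tunnel-group'
output concatenated together.
"""

SAMPLE_CONFIG = """\
# constructed sample (trimmed from the posted output; GP_VPN_SSO is assumed)
group-policy NOACCESS internal
group-policy NOACCESS attributes
 dns-server value 1.1.1.1
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-clientless
group-policy GP_VPN_SSO internal
group-policy GP_VPN_SSO attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev2 ssl-client
 tunnel-group anyconnect type remote-access
tunnel-group anyconnect general-attributes
 address-pool VPN_POOL
 authentication-server-group LOCAL
 default-group-policy NOACCESS
tunnel-group anyconnect webvpn-attributes
 authentication saml
 group-alias VPN enable
 saml identity-provider https://sts.windows.net/************************/
"""


def parse_asa_config(text):
    """Split 'show run all' style output into group policies and tunnel-groups.

    Returns (policies, tunnel_groups):
      policies[name]               -> {attribute: value}
      tunnel_groups[name][section] -> {attribute: value}  (general, webvpn, ...)
    Header lines are matched after stripping whitespace, so the stray leading
    space before 'tunnel-group ... type' in the posted output is harmless.
    """
    policies, tunnel_groups = {}, {}
    ctx = None  # dict that receives the indented lines under the current header
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        tok = line.split()
        if tok[0] == "group-policy" and len(tok) >= 3:
            bucket = policies.setdefault(tok[1], {})
            ctx = bucket if tok[2] == "attributes" else None
            continue
        if tok[0] == "tunnel-group" and len(tok) >= 3:
            sections = tunnel_groups.setdefault(tok[1], {})
            suffix = "-attributes"
            ctx = (sections.setdefault(tok[2][:-len(suffix)], {})
                   if tok[2].endswith(suffix) else None)
            continue
        if ctx is None:
            continue
        if tok[0] == "no":          # 'no foo' kept whole as the key
            ctx[line] = ""
        else:                       # 'key value...' split on the first space
            key, _, value = line.partition(" ")
            ctx[key] = value
    return policies, tunnel_groups


def lint_saml_tunnel_groups(text):
    """Return findings for tunnel-groups using 'authentication saml' whose
    effective default group policy would reject an AnyConnect SSL client."""
    policies, tunnel_groups = parse_asa_config(text)
    findings = []
    for tg, sections in tunnel_groups.items():
        if sections.get("webvpn", {}).get("authentication") != "saml":
            continue
        # with no explicit default-group-policy the ASA uses DfltGrpPolicy
        gp_name = sections.get("general", {}).get("default-group-policy",
                                                   "DfltGrpPolicy")
        if gp_name not in policies:
            findings.append(f"{tg}: default-group-policy {gp_name} is not "
                            "present in the supplied config")
            continue
        gp = policies[gp_name]
        protocols = gp.get("vpn-tunnel-protocol", "").split()
        if "ssl-client" not in protocols:
            findings.append(f"{tg}: policy {gp_name} permits "
                            f"{protocols or 'nothing'}; the AnyConnect client "
                            "over SSL needs 'ssl-client' in vpn-tunnel-protocol")
        if gp.get("vpn-simultaneous-logins") == "0":
            findings.append(f"{tg}: policy {gp_name} has vpn-simultaneous-logins "
                            "0, so no session can be established under it")
    return findings


if __name__ == "__main__":
    for finding in lint_saml_tunnel_groups(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the posted configuration this reports both NOACCESS settings for tunnel-group "anyconnect"; point default-group-policy at a policy that carries ssl-client and a non-zero login limit and the findings disappear, which is the behaviour described above. It does not tell you which of your two real policies a given user should get: that still needs a selector such as a group-alias/URL alias per tunnel-group or an authorization lookup.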

So only LDAP can indicate to the ASA which group policy to use?

In this case, I should have LDAP configured under general attributes.

Am I correct?

Thanks

The client selecting a choice from a dropdown is the most common way I see it used. However, you have the default NOACCESS option, which implies you are expecting some other method. Other methods include getting the correct group from an LDAP attribute-map as well as things like using a URL alias directly.

You haven't shared what your overall setup is so we can only guess what the intention is for your system.